Is it possible to use a Multi-VSYS Palo Alto to have the active-primary on one Palo Alto and a second VSYS Active-Primary on the second Palo Alto in Active-Active HA mode. I've done this on Cisco Active-Active firewalls but I need to do this on a Palo Alto pair.
Solved! Go to Solution.
On the Palo Alto chassis HA is achieved at the system level meaning that all components are subservient to the state of the chassis, so you can't have a vsys that is active on one, but not on the other chassis
what you can do to achieve a sort of 'vsys spread' among the peers is to use floating IP with a preference priority for one member or the other, wherever you want the specific vsys to receive it's sessions
Agreed, don't think of Active/Active as Active Primary and Active Secondary. Think of them as equal partners both able to process or hand off the same traffic simultaneously. If you really want to do any kind of traffic management and push certain traffic one direction or the other, you need to do this with your routing protocols and NOT a setting on the firewall. Usually this is done by using Anycast with your default gateway so that two physically disparate locations will prefer the Firewall closest to them and not have to traverse or hairpin through come kind of site-to-site interconnect. Does this help?
PS - I love PAN's Active/Active implementation but I only consider it for very specific use cases. If your firewalls are stacked together at the same location, you most likely should be using Active/Passive instead. The goal of Active/Active is NOT to increase throughput. If this is the mindset you are taking, you will most likely be VERY disappointed.
I ran active/active for nearly 2 years.
I would recommend stay away from active / active . what they called A/A is not prod ready
especially if you have asyn routing through the nodes
if you use NAT'ing
Also if you have OSPF this can cause asym routing and issue.
Interesting, I have run Active/Active with OSPF and NAT without a single issue. I'd be curious to know what version of PAN-OS you were using and how you were setting up NAT. The biggest hurdle is understanding how to set up your dynamic routing properly and how to set up NAT with floating IPs to make it work correctly.
I had issues with VIP's and the way they were implemented.
a packet would enter a node, but would be routerd out OSPF backbone into to the other node this would cause issues as the return path would be different and this would affect session setup and lost packets /32 were taking preference over /24 and force packets via a strange path. Should mention with is with VIP for default gateway
with NAT, I was trying to setup a NAT pool, single IP port overload for the internet. It can't be active on both nodes not supported so I was told by support.
its been a year plus now so bit hard to remember the whole details. But I gave up the fight after having a long chat with a L2/L3 support person whilst working through some issue.
From memory the A/A NAT pool setup was to have different SNAT addresses one on each node.
Correct, you cannot use a single IP. You have to have 2 different rules, one for each side. They can however failover for each other. I don't see why this would be a problem though unless you don't have some kind of control (ie - BGP) on the internet side.
Because there would be async routing happenning going out one node and then returning via the other node.
There (at the time) lots of issues. Plus I wanted to use just 1 ip - didn't see the reason to have to waste (duplicate my ip's).
Also had issues with GP, portal , gateway and nat.
Plus -(thinking of other things now). I used a load based VIP - DGW for my vlans, part of my monitoring for DGW from VM's was to ping the DGW - only half would work, cause the /32 for the VIP would only be assigned to the active node and some times - just the way it woked the /32 wouldn't respond on the non active node
so node a node b
node a 192.168.1.2/24
node b 192.168.1.3/24
node a is active so it gets 192.168.1.1/32
sounds okay so far.
Turn on OSPF passive for 192.168.1.0/24
but active for your OSPF backbone - say 192.168.255.0/24 - different interface than above
so ping for 192.168.1.1 going to 192.168.2.3 device see's a route for 192.168.1.1/32 via the OSPF backbone so it send the ping out the OSPF backbone interface - why cause /32 is more precise than /24 and not over the special node to node connection but out the normal interface - of couse the other node then goes why am i getting a 192.168.1.0/24 packet from the OSPF backbone interface ???
Yes. Handling asynchronous routing is the biggest "use case"/reason you would use Active/Active and it handles it very well. Is there a reason you are avoiding asynchronous routing?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!